Google senses proxy requests to warn users of malware infestation

Google has just started warning people with certain malware that their …

Google's search engine has started warning users that they've installed certain malware. "Your computer appears to be infected," a banner will proclaim across the top of every Google search whenever the malware is detected. Clicking a link in the banner leads to instructions on how to find an appropriate anti-virus program to remove the software.

The malware that Google is detecting routes certain Web requests through proxy servers controlled by the criminals behind it. Any search made through one of these proxies receives the warning message. Use of the proxies is generally transparent to users: typically, the malware modifies the user's hosts file, the local file that maps domain names to IP addresses and is consulted before any DNS server is queried. An entry in that file for a search engine's domain therefore silently sends that traffic to the attackers' proxy without the user, or the browser, seeing anything unusual.
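The hosts-file hijack described above is easy to spot once you know what to look for. The following script is an added example, not code from the Ars article or from Google: it parses a hosts file, strips comments, and flags two patterns this malware family relies on, namely well-known domains (search engines, anti-virus vendors) pointed at some other address, and domains blackholed to 0.0.0.0 or 127.0.0.1. The sample hosts content and the list of watched domain suffixes are constructed for the example and are assumptions, not data from the page.

```python
import ipaddress

# Constructed sample hosts file (not from the article): a normal header plus
# three lines of the kind the proxy malware described above would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
# --- constructed malware additions for this example ---
203.0.113.45    www.google.com google.com
203.0.113.45    www.bing.com search.yahoo.com
0.0.0.0         www.malwarebytes.org update.malwarebytes.org   # block AV updates
"""

# Names that legitimately map to loopback and are not suspicious.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                "ip6-loopback", "broadcasthost", "ip6-allnodes", "ip6-allrouters"}

# Domain suffixes whose redirection or blackholing is the signature of this
# malware family: search engines and anti-virus vendors. Assumed list; extend it.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com",
                    "malwarebytes.org", "symantec.com", "mcafee.com")


def parse_hosts(text):
    """Yield (address, [hostnames]) for each entry; comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an address with no names is inert
            continue
        yield parts[0], parts[1:]


def is_watched(name):
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify(ip_str, names):
    """Return (hostname, reason) findings for a single hosts entry."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return [(n, "unparseable address %r" % ip_str) for n in names]
    findings = []
    for name in names:
        lname = name.lower().rstrip(".")
        if ip.is_loopback or ip.is_unspecified:
            # 0.0.0.0 / 127.0.0.1 for a real domain blackholes it. Malware does this
            # to AV update servers; ad-blocking hosts files do it too, so review hits.
            if lname not in BENIGN_NAMES:
                findings.append((lname, "blackholed to %s" % ip))
        elif is_watched(lname):
            # A search engine or AV vendor resolved to an arbitrary address: this is
            # the transparent-proxy trick the article describes.
            findings.append((lname, "redirected to %s" % ip))
    return findings


def audit_hosts(text):
    """Audit a whole hosts file and return all findings in file order."""
    out = []
    for ip_str, names in parse_hosts(text):
        out.extend(classify(ip_str, names))
    return out


if __name__ == "__main__":
    # On a real system read /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for host, reason in audit_hosts(SAMPLE_HOSTS):
        print("%-28s %s" % (host, reason))
```

Run against the constructed sample it reports six findings: both Google names and the Bing and Yahoo names redirected to 203.0.113.45, and the two Malwarebytes names blackholed to 0.0.0.0. A clean file with only the loopback entries produces nothing.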

It's likely that the malware authors will respond to this measure soon enough, however. The malicious proxy servers already rewrite pages to inject ads and to block access to anti-virus software; stripping Google's warning out of the search page is a trivial addition to that.

One potential problem is that rather than recommend or link to specific anti-virus software, Google refers users simply to a Google search for "antivirus." Such searches can direct users to the abundant fake anti-virus software that is available on the Web; in attempting to fix the problem, users may just end up making things worse. Specific recommendations or hardcoded links to genuine anti-virus software might risk claims of favoritism, but it would probably be safer.

Worse, these warning messages run counter to training and advice that's often given to Web users. Due to the proliferation of fake anti-virus scams, users are strongly advised to ignore any website that's telling them they have a virus and that they should just download a program to fix their computer. To be effective, Google's new malware detection requires and encourages them to ignore this usually sound advice; taken in isolation, Google's warnings are sensible progress, but the broader implications could yet be negative.

The link telling users to search for "antivirus" uses Google's encrypted (https) search, which means that the malware would also have to perform a MITM attack on the SSL connection. The malware would have to put extra effort into it to be able to hijack those (certainly not an insurmountable barrier, but it does raise the bar). The same sentence that says to search for it also includes a link to tools that Google suggests (Malwarebytes, Spyware Doctor, and Mac Scan). The following sentences in that paragraph warn people doing a search about "fakes" and give some tips to spot them.

Unless Google updated the page since the Ars article was written, it seems that the article is unnecessarily harsh on Google. This is definitely not the golden bullet, but at least it's an effort by Google to improve the situation.

Quote:

The link telling users to search for "antivirus" uses Google's encrypted (https) search, which means that the malware would also have to perform a MITM attack on the SSL connection. The malware would have to put extra effort into it to be able to hijack those (certainly not an insurmountable barrier, but it does raise the bar). The same sentence that says to search for it also includes a link to tools that Google suggests (Malwarebytes, Spyware Doctor, and Mac Scan). The following sentences in that paragraph warn people doing a search about "fakes" and give some tips to spot them.

Unless Google updated the page since the Ars article was written, it seems that the article is unnecessarily harsh on Google. This is definitely not the golden bullet, but at least it's an effort by Google to improve the situation.

If Google cured cancer there would be an article about all those wig sellers/makers who were not warned in time and thus there is now a whole bunch of wigs that are going to waste.

Quote:

Unless Google updated the page since the Ars article was written, it seems that the article is unnecessarily harsh on Google. This is definitely not the golden bullet, but at least it's an effort by Google to improve the situation.

The article wasn't harsh enough. This is an absolutely terrible idea. The malware authors can not only block/redirect that link, but they could spoof it too. "What's this? Google says I have a problem that they will help me with if I click HERE? Thanks Google -- your scan detected I have 12 trojans and that I can install XPscan Pro for free to fix it! Yay Google!"

Terrible

Quote:

Terrible

Maybe going through the browser to thwart the redirect or warn users of malware, but again, that can be spoofed.

I really approve of this measure. It really is about the only thing Google can do from their end when they see that something weird is going on from the other side. As valid as the complaints that the users will be redirected when they search for "antivirus" are, the situation still isn't much worse for the user than it already was. The only thing that's changed is that they now know there's a problem, even if the fix isn't a simple one.

I feel Google's intentions are pure, but this is a bad idea. We try so hard to tell novice users "ignore any webpage that tells you you have malware" and now we have to train them to think "except Google" and even that might be bad because they might think anything they find from a Google search is safe.

I, too, think that this was poorly conceived as it goes against what we have been telling people for years to never click on anything in your browser that says you have a virus. If they just left it as a warning with detailed information on the infection and advice about what to do to fix it with no links at all, I could see that.

Quote:

The link telling users to search for "antivirus" uses Google's encrypted (https) search, which means that the malware would also have to perform a MITM attack on the SSL connection. The malware would have to put extra effort into it to be able to hijack those (certainly not an insurmountable barrier, but it does raise the bar). The same sentence that says to search for it also includes a link to tools that Google suggests (Malwarebytes, Spyware Doctor, and Mac Scan). The following sentences in that paragraph warn people doing a search about "fakes" and give some tips to spot them.

You don't need to perform an MITM attack on the HTTPS search when Google's search engine will simply return bad results. Although you very easily could--the malware that alters the hosts file could equally install a trusted root certificate.

They can fix this so easily. Change the banner to: "If you are seeing this message, you may have harmful software on your computer. We suggest contacting a reputable repair specialist to check the status of your computer soon."

No linky, no clicky, and if it is a false positive, at least the user knows.

Quote:

The link telling users to search for "antivirus" uses Google's encrypted (https) search, which means that the malware would also have to perform a MITM attack on the SSL connection. The malware would have to put extra effort into it to be able to hijack those (certainly not an insurmountable barrier, but it does raise the bar).

The additional effort for a MITM attack via the proxy would be minimal. There's commercial software that already does it (e.g. my employer's NetNanny), and probably OSS stuff as well, to allow them to avoid even having to spend the effort in finding a crack/keygen for it.

Quote:

The article wasn't harsh enough. This is an absolutely terrible idea. The malware authors can not only block/redirect that link, but they could spoof it too

seems to be a stupid criticism to me. If you have malware on a computer that can interfere with the browser you can do anything anyway. Why should you bother with spoofing that link? Why not download the stuff directly? I think it's a nice effort by Google. After all, hundreds of millions of people use Google and many millions of them have malware that isn't aware of the Google effort. Helping them become aware of the situation seems to be better than doing nothing.

Just because it doesn't help people with a not-yet-implemented malware infection that is aware of this threat and tries to stop it...

Quote:

The article wasn't harsh enough. This is an absolutely terrible idea. The malware authors can not only block/redirect that link, but they could spoof it too

seems to be a stupid criticism to me. If you have malware on a computer that can interfere with the browser you can do anything anyway. Why should you bother with spoofing that link? Why not download the stuff directly? I think it's a nice effort by Google. After all, hundreds of millions of people use Google and many millions of them have malware that isn't aware of the Google effort. Helping them become aware of the situation seems to be better than doing nothing.

Just because it doesn't help people with a not-yet-implemented malware infection that is aware of this threat and tries to stop it...

Spoofing a well known link means that you're more inclined to trust them and give them your credit card information. I give it a week before malware authors take advantage of this.

This puzzles me. It would take little to no effort for someone to spoof the Google homepage via a tiny unauthorized application/program on an infected computer. With the OS being as complex as it is, and with people installing hundreds of various applications and programs, and with current hardware technology allowing all of them to run w/o killing performance ... where is the logic behind this seemingly irrational move by Google? This is just inviting more bad than it does any good.

And for those of you that say, use common sense to catch a potential spoof; if people had an ounce of common sense to begin with, then they wouldn't need this from Google in the first place.

I don't understand the arguments that it does harm. What harm has Google done here that the malware authors couldn't have done on their own? It's a proxy, so they could insert this kind of "please click here" message on Google (or any other website) if they wanted to.

If the complaint is that Google's attempt to do good here has given the malware authors a good idea for doing harm, I think that's underestimating the ingenuity of malware authors.

It's an interesting move by Google that may do some good, and may lead to better efforts in the future. Casting it as a net negative seems like a conclusion in search of a rationale.

Quote:

I don't understand the arguments that it does harm. What harm has Google done here that the malware authors couldn't have done on their own? It's a proxy, so they could insert this kind of "please click here" message on Google (or any other website) if they wanted to.

If the complaint is that Google's attempt to do good here has given the malware authors a good idea for doing harm, I think that's underestimating the ingenuity of malware authors.

It's an interesting move by Google that may do some good, and may lead to better efforts in the future. Casting it as a net negative seems like a conclusion in search of a rationale.

If I get a message from a website telling me my PC has been infected, I'm taking that as a red flag that the website is trying to infect me with some digital STD. The fact that Google's warning me makes me suspicious that either Google might be infected or someone is using some sort of MITM attack. In any case it doesn't make me trust Google any more.

Quote:

If I get a message from a website telling me my PC has been infected, I'm taking that as a red flag that the website is trying to infect me with some digital STD. The fact that Google's warning me makes me suspicious that either Google might be infected or someone is using some sort of MITM attack. In any case it doesn't make me trust Google any more.

So, if I have this right, by Google warning you that someone is indeed using a MITM attack, you trust them less because you think that either Google is infected or someone is using a MITM attack?

Really half-assed effort. I've been warning my dad for years now never to click on ANYTHING telling him that he has viruses/malware/trojans/etc. Well better get ready in case he downloads that damned "Windows Antivirus Pro" crap for the tenth time due to this...

Quote:

Really half-assed effort. I've been warning my dad for years now never to click on ANYTHING telling him that he has viruses/malware/trojans/etc. Well better get ready in case he downloads that damned "Windows Antivirus Pro" crap for the tenth time due to this...

Totally feel your pain. Any time that I've tried to help my mom with her computer (before she got a Mac) she'd spend more time reading the banner ads and trying to get me to click on them so her computer was "safe". I think that the idea of a Google "antivirus" banner ad is a good idea for the people who haven't yet learned not to click on the damned things. For those of us who DON'T click on them, we're probably a lot less likely to have an infected machine, and probably more likely to already be running some type of AV.

...

Then again, most of those people probably use Yahoo as their main search engine still.

Quote:

If the complaint is that Google's attempt to do good here has given the malware authors a good idea for doing harm, I think that's underestimating the ingenuity of malware authors.

It's not underestimating their ingenuity because it goes without saying that they will take advantage of this. Google has earned a reputation (whether or not your opinion of the company itself is positive) of trust to the degree that people will use their services, mostly the search engine, over other options. Google's name carries the same stature as that of Kleenex and Kodak.

Again, it'll take little to no effort for those willing to do harm to piggyback on good intentions and "trojan horse" their way into the last remaining bastion of human intelligence on the internet.

Quote:

It's not underestimating their ingenuity because it goes without saying that they will take advantage of this.

But nobody stopped them so far from doing exactly the same. If they're already rerouting and changing the requests anyhow, nothing stops them from including a "You're infected go download XYZ" banner on google sites.

Not especially useful, but I don't see how this would give attackers additional possibilities they don't already have.

Quote:

The link telling users to search for "antivirus" uses Google's encrypted (https) search, which means that the malware would also have to perform a MITM attack on the SSL connection. The malware would have to put extra effort into it to be able to hijack those (certainly not an insurmountable barrier, but it does raise the bar).

If malware has replaced the system's hosts file, the malware already owns the system. It could just replace the browser binary. No https for you.

Now if only they could hire some Nigerian investors to help me with my finances.

You could hire as many as you like but where could you get Nigerian currency to pay them?

Quote:

Bad idea, and I agree with many of the reasons given by the previous posters.

Google really doesn't need to (and shouldn't) get involved with this at all--not at this level.

Each single click on Google's banners from you and me will add a penny or two to Google's pocket. With millions of pennies from banner ads every day it makes Google's stockholders very, very happy. This is like telling Best Buy not to sell computers or things related to them. No can do.